SAMexpert Microsoft Licensing Experts

Note: This article of mine was first published by CNews as a part of a larger article called "Microsoft: how to get rid of software chaos" around August 2007. I'm publishing it in its entirety, with all their edits, including their version of the title of the article. I would have rewritten a lot of it already, but history is history. This is also a rough translation from Russian so some things had to be interpreted.

How to get rid of illegal software – this topic has recently begun to occupy minds of many IT-directors [in Russia]. The main driving factor of that is strengthening of the government control in the legal sphere. There have been a number of high-profile criminal prosecution cases. There have been recent changes in the legislation regarding Intellectual Property rights. In courts, IT-directors and system administrators have become the main targets for prosecution. On the other hand, the benefits of transitioning to legal software are obvious: availability of technical support, timely security updates etc.

A pleasant trend for most CIOs is the increased attention of non-technical managers to the reliability of IT infrastructure, as well as to the management of risks associated with the use of IT. CFOs go further – they now require more transparent IT budgets, clearer ROI, and would welcome managing software as assets.

And so, CIOs have come to a situation where they need to "legalise" software use.

Approaches to software "legalisation"

There are two approaches. One is a point-in-time elimination of illegally used software followed by deploying only necessary, licensed, copies. This option is known by the name "legalisation".

The second long-term approach is to adopt a day-to-day management system: a set of policies, processes and procedures strategically aimed at effective software asset management. The goal is to continuously maintain efficiency of use of software, its relevance to the business processes in the organisation.

With the lack of qualified in-house resource, this may be outsourced to subject-matter experts from consulting companies.

Implementation of Licence Management, or more correctly, Software Asset Management, would normally go through the same core stages but the efforts and the costs may vary.

The core stages of SAM implementation

The work is preceded by an initial introductory phase. It is necessary to get a general idea about the organisation, its IT infrastructure, and the software used, to make an initial assessment of the scope and budget of work.

There are also a number of questions worth getting answers to before the work begins. Who and how manages all software purchases? Who is responsible for end-user support? Who is responsible for license compliance? How IT assets are managed? Is there a contract and proof-of-licence management system?

Among the technical issues, concentrate on those affecting the cost of SAM implementation the most. How many computers does the organisation have? How many departments there are: branches, warehouses etc. How are they connected? How many mobile devices are used and are they managed? How difficult is it to get access to them?

Then you can proceed with the initial audit. The first step is to find out what software is installed and how much of it is in actual use. It is important to get figures that are accurate down to a single instance, as even one unlicensed use of software is a compliance issue.

"Lightweight" tools

At this stage, you may consider using automated tools to inventory and monitor software usage. If the purpose of your work is a one-off "legalisation", you cab achieve your goals with one of a few of "lightweight" tools. Such software tools, as a rule, are low-cost – from 200 roubles per computer, and even free sometimes. They don't require a steep learning curve. They usually have fairly low system requirements. Often, all you need is a workstation. A good example would be Microsoft Software Inventory Analyzer, which is free.

However, "lightweight" tools also have their own drawbacks. The lower the price, the less data is collected, the lower are the recognition capabilities. Some software titles cannot be inventoried by scanning only the registry, without checking the contents of hard disks. And some may have additional licensing terms that cannot be easily verified with "lightweight" tools.

Professional software asset management tools

If an organisation faces the task of solving strategic software asset management issues, it is worth considering a professional asset management tool. Among such tools are, for example, Microsoft System Management Server (SMS) and Avocent LanDesk.

The benefits of such tools include day-to-day ability to manage software as assets, having information on their use in almost real time, approaching changes proactively, distributing and re-harvesting software in a centralised manner.

When estimating the costs, it is necessary to consider not only the cost of the licence for the tool itself, but also costs of its installation and implementation. And of course, don't forget the costs of the initial inventory data gathering.

The result of this stage shall be a detailed report on installed and used software.

Proof of licence

The next step is to collect proof of existing licences so they can be compared to the results of the software inventory to establish the compliance position in the organisation.

Here, one should keep in mind that licences may be both on paper and in electronic form. Pay special attention to the “free” software’s terms and conditions. For example, the free version of AVG antivirus may only be deployed on personal computers, and although the free version of Google Earth may be installed on any computer, it is only for personal use.

Licences may be accompanied by other documents, such as stickers for the computer case (usually, OEM versions of products), certificates of authenticity (COA). In addition, each licence must be accompanied by "proof of purchase” – supplier contracts, order forms, and invoices.

Physical, and sometimes electronic, master copies must be accounted for and audited, regardless of the type of licence. A licence may also require other accompanying assets, such as packaging and operating manuals.

It is important to understand that a licence is a legally complex document with a load of technical details. It is not always possible for legal professionals to understand and see all the convoluted technical aspects and usage conditions. Licence analysis work requires involvement of a subject-matter expert.

Costs at this stage depend on the quantity of software titles, and how well the licences and collateral assets have been stored, accounted, and organised.

If the purpose is a one-off "legalisation", the work may be consider almost completed. However, it is still necessary to evaluate the audit results and procure the necessary licences. Sub-optimal licensing may and shall be identified including, oddly enough, excessive, unnecessary licensing. The one-off “legalisation" work ends when all the software in use fully complies with the existing licenses' terms and conditions.

What's next?

Does it make sense to implement licence management after "legalisation"? The choice is between recurring “hole patching", i.e. somewhat regular realignment of licences with used software, and day-to-day proactive control of software assets and associated risks.

In case an organisation decides to take the strategic approach, the ISO/IEC 19770-1:2006 standard called "Information technology – Software asset management - Part 1: Processes" can serve as a solid foundation for implementation of necessary policies, processes and procedures.

The advantage of implementing SAM for financial management is in optimising and managing costs of software procurement – both through discounts on well planned volume purchases and by reducing total procured volume through optimisation of assets and licence re-harvesting. Another benefit is the lower cost of negotiating with suppliers through the availability of more complete information about the organisation's assets, internal standards and requirements. Optimisation of collateral IT costs is also worth mentioning. Successful implementation of licence management processes, for example, drives reduction of technical support costs.

Using ISO/IEC 19770 as a foundation and a guidance, an organisation can develops its own rules, policies, processes and procedures governing such aspects as accounting, asset storage, asset utilisation, workplace standardisation, update processes, software installation, change management, incident management processes, license reuse and decommissioning. In total, the standard establishes over 20 groups of policies, processes and regular procedures aimed at professional, efficient software and collateral asset management.

A transition to full compliance cannot be done momentarily. Full implementation can affect many processes within an organisation, so a sound action plan is needed. There is no one-size-fits-all implementation plan.

What is implemented

Software Asset Management tools are needed to regularly measure installed copies of software and its usage.

In addition, consider implementing databases storing all kinds of licence collateral: basic (underlying) licences, effective full licences, contracts, licence agreements, electronically signed documents, keys – all electronic documentation supporting your software assets.

To be ISO-compliant and efficient, It is also mandatory to implement Journaling and protocoling of basically everything. There are, at a minimum, requirements to record all activities and outcomes related to procurement and relationship management, change, incident and problem management, deployment management, and release and development management.

Approved procedures must have executive sign-off in accordance with accepted practices in the organisation. There shall also be necessary changes to agreements with contractors and customers, and employment contracts.

In six months to a year, consider a SAM programme review. If you are aiming to become ISO 19770-compliant, such regular reviews are compulsory. And they are recommended to be performed by a third party.